Dutch Police Arrest Alleged CoinVault Ransomware Authors

Ransomware has emerged as a major threat to consumers and businesses in recent years, and law enforcement agencies and security researchers have taken note. Authorities last year disrupted the Cryptolocker ransomware operation, and now Dutch police have arrested two young men they believe are involved in the CoinVault ransomware.

The arrests came Monday in the Netherlands and authorities allege that the two men, ages 18 and 22, were involved with the CoinVault campaign that began in May 2014 and went after users in nearly two dozen countries. CoinVault isn’t as well-known or widespread as Cryptolocker, Cryptowall, or Teslacrypt, but its goals and effect are the same: stealing money from desperate victims.

The Dutch National High Tech Crime Unit on Monday arrested the two men after a long investigation that included the help of researchers from Kaspersky Lab. Researchers identified the initial versions of CoinVault in May 2014 and Kaspersky published a detailed report on the ransomware that November. Soon after, the CoinVault campaign stopped and Kaspersky published a list of decryption keys to help victims recover their data without paying the ransom.

Like all ransomware, CoinVault is designed to scare victims into paying a ransom in order to get back their compromised data. Cryptoransomware, including CoinVault, goes a step further and encrypts victims’ files, making them generally unrecoverable until the victims pay the ransom. The payment often is demanded in Bitcoin, and can range up to the equivalent of several hundred dollars.

After Kaspersky’s researchers published the CoinVault report and decryption aid, researchers from Panda Security contacted them and provided two new samples of the ransomware, indicating that the CoinVault attackers had become active again. The researchers analyzed the samples and found indications of Dutch involvement and gave them to the Dutch national police.

“In April 2015 a new sample was spotted in the wild. Interestingly the sample had flawless Dutch phrases throughout the binary. Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case. Winning the battle against CoinVault has been a joint effort between law enforcement and private companies, and we have achieved a great result: the apprehension of two suspects,” said Jornt van der Wiel, a security researcher at Kaspersky.

The Dutch police took control of the command-and-control server that the CoinVault attackers were using, and then, a few months later, a new variant of the ransomware, called BitCryptor, emerged. Researchers say it is likely a direct descendant of CoinVault, as it contains much of the same code.

“However, BitCryptor is not like the previous versions of CoinVault targeting a Dutch audience. All the written Dutch has been removed (as have all the links to CoinVault). A little feature has been added, that runs in the background and checks if the victim has already paid,” van der Wiel and Santiago Pontiroli of Kaspersky wrote in a blog post.

CoinVault has infected more than 1,500 machines and has hit victims in a variety of countries, including the Netherlands, Germany, United States, UK, and France.